a54c4c2c...549f | IOCs
Logo
Try VMRay Analyzer
VTI SCORE: 100/100
Dynamic Analysis Report
Classification:
Dropper
Threat Names:
VBS.ObfDldr.23.Gen
Gen:Variant.Midie.70770
Mal/HTMLGen-A

documeynt4565.wsf

Windows Script File

Created at 2020-02-24T15:56:00

...

Indicators

File (46)
»
Filename Hash Operations Category Severity
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\NGHvEOGrPRHHZU.dll MD5: 305d96335a600ea4b97c5629845f4e29
SHA1: 425af28f7c69f96a89d1784724cde4e4c3417d47
SHA256: dc9bffe02bc22d40ec5dd71efe9c27cdde2bab294fcef9ee5c3cb680760019ba
SSDeep: 24576:AXcfREnkuoLQV0cxhHGvnPra2DIYJJ4tY+ngj6bdW7WzB6:AXcfHCacXWnjJEaiNu6bd7w
ImpHash: 19dc63eda973bc8408853a85c14ecf4e 		Access, Create, Write Dropped File
Malicious
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\documeynt4565.wsf MD5: 42ffb9ad1b4555f9080fbf94181b6f35
SHA1: 46a467d751787c9679c45b0d8f390ad526b75206
SHA256: a54c4c2c87771dde2fa649a4858a1036b3e8dda1756ed4dc3c9c179b9b33549f
SSDeep: 96:mCaQGDT4SZEW1FFuefsNXBAv03oAuCmCLGVQ8YYYYYNz:mP8q2Ly8o1Cqa8YYYYYt
ImpHash: - 		Sample File
Malicious
C:\ - Access
Not Available
C:\Users\5p5NrGJn0jS HALPmcxz - Access
Not Available
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1 - Access
Not Available
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\WindowsPowerShell\profile.ps1 - Access
Not Available
C:\Windows - Access
Not Available
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config - Access, Read
Not Available
C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config - Access, Read
Not Available
C:\Windows\SysWOW64\WindowsPowerShell\v1.0 - Access
Not Available
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml - Access, Read
Not Available
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml - Access, Read
Not Available
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml - Access, Read
Not Available
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FileSystem.format.ps1xml - Access, Read
Not Available
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml - Access, Read
Not Available
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml - Access, Read
Not Available
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1 - Access
Not Available
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml - Access, Read
Not Available
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml - Access, Read
Not Available
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Registry.format.ps1xml - Access, Read
Not Available
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\WSMan.format.ps1xml - Access, Read
Not Available
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.config - Access
Not Available
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Access
Not Available
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\profile.ps1 - Access
Not Available
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\types.ps1xml - Access, Read
Not Available
C:\Windows\System32\CScript.exe - Access
Not Available
C:\Windows\System32\WindowsPowerShell\v1.0 - Access
Not Available
C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml - Access, Read
Not Available
C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml - Access, Read
Not Available
C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml - Access, Read
Not Available
C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml - Access, Read
Not Available
C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml - Access, Read
Not Available
C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml - Access, Read
Not Available
C:\Windows\System32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1 - Access
Not Available
C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml - Access, Read
Not Available
C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml - Access, Read
Not Available
C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml - Access, Read
Not Available
C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml - Access, Read
Not Available
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.config - Access
Not Available
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Access
Not Available
C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1 - Access
Not Available
C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml - Access, Read
Not Available
C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll - Access
Not Available
C:\Windows\system32 - Access
Not Available
C:\Windows\system32\ipconfig.exe - Access
Not Available
System Paging File - Access
Not Available
Registry (64)
»
Registry Key Name Operations
HKEY_CLASSES_ROOT\.wsf Access, Read
HKEY_CLASSES_ROOT\WSFFile\ScriptEngine Access
HKEY_CURRENT_USER Access
HKEY_CURRENT_USER\Environment Access
HKEY_CURRENT_USER\Environment\PSMODULEPATH Access, Read
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections Access
HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings Access, Create
HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\DisplayLogo Access, Read
HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\Enabled Access, Read
HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\LogSecuritySuccesses Access, Read
HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\Timeout Access, Read
HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\TrustPolicy Access, Read
HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\UseWINSAFER Access, Read
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds Access
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell Access
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell\path Access, Read
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\PipelineMaxStackSizeMB Access, Read
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections Access
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN Access
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\StackVersion Access, Read
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance\First Counter Access, Read
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance\IsMultiInstance Access, Read
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance\Library Access, Read
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance\CategoryOptions Access, Read
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance\Counter Names Access, Read
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance\FileMappingSize Access, Read
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security\PowerShell Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell Access
HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell Access
HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1 Access
HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine Access
HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine\ApplicationBase Access, Read
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion Access
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\InstallationType Access, Read
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings Access, Create
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\DisplayLogo Access, Read
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\Enabled Access, Read
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\IgnoreUserSettings Access, Read
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\LogSecuritySuccesses Access, Read
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\Timeout Access, Read
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\TrustPolicy Access, Read
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\UseWINSAFER Access, Read
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment Access
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment\PSMODULEPATH Access, Read
Mutex (1)
»
Mutex Name Operations
Global\.net clr networking Access
Domain (3)
»
Domain Sources Severity
arethatour.icu PCAP, Function Log
Blacklisted
certig.info PCAP, Function Log
Unknown
lotoposols.xyz Function Log
Unknown
URL (1)
»
URL Operations Category Severity
https://lotoposols.xyz post Contacted
Unknown
IP (3)
»
IP Protocols Sources
185.101.93.139 TCP, HTTPS PCAP, Function Log
31.214.157.14 HTTP, TCP, DNS, HTTPS PCAP, Function Log
8.209.79.239 TCP, DNS, HTTPS PCAP, Function Log
Export to TXT Export to JSON
Function Logfile
Download-Icon
Exit-Icon

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy". 


    

   

   

    Before
   

   

    

     

      
       This feature requires an online-connection to the VMRay backend.
      
      

      

      An offline version with limited functionality is also provided.
      

      The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".
     

     

    

   

   

    After
   

   

    

     

      
       This feature requires an online-connection to the VMRay backend.
      
      

      

      An offline version with limited functionality is also provided.
      

      The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".
     

     

    

   

   

    

     
      

       
       
       
       
      

     
     
     
    

   

  

  

   

    
    

     Screenshot
    

    

     Expand-Icon
    

    

     Exit-Icon
    

   

   

    

     icon_left
    

    

     icon_left
    

   

   

   

   

    image